Keystroke Biometric System
We have a computer program that captures key and mouse data.
The keystroke data captured by the program consists of the ID and duration of each key pressed,
and the transition time from one key press to the next.
The mouse information is similar - left or right mouse button pressed,
and the mouse button depression duration, etc.
This program will be extensively revised for appropriate experimental use.
Initially, we must ensure that the system can capture accurate timing information.
We are exploring keystroke biometric applications,
and their corresponding experimental procedures and system designs.
General information on biometric systems and performance evaluation can be found in textbooks and other references.
For these studies we will use the performance methodology and notation from the text,
Guide to Biometrics, by Bolle, et al. (Springer 2004).
These studies are in the area of pattern recognition and
for simplicity we will use the Nearest Neighbor classification method (see, for example,
the textbook Pattern Classification by Duda, Hart, and Stork (Wiley 2001)
and the website Nearest Neighbor Classifier)
with the Euclidean distance metric.
Keystroke Biometric Applications
The keystroke biometric has several possible applications.
One application is for hardening password entry by adding a keystroke authentication process
(accept/reject response) as a second stage following password matching before allowing user entry.
Thus, if the password is not entered in the normal keystroke pattern, the system could ask the user to reenter it.
For example, a user on a particular occasion might be drinking a cup of coffee
and be entering the password uncharacteristically with one hand.
The system, then, could reject the password, sending the user a message like,
"Please reenter your password in your normal manner," and after, say, three tries,
possibly rejecting the user entirely.
The user upon receiving the reject message would likely put down the coffee cup
and enter the password in his/her normal fashion in order to be accepted.
You task for this application is to design and then run an experiment to test this application.
The design and testing steps are as follows:
- Password constraints: 6-10 characters long, and you might want to limit the types of characters
(for example, uppercase involves the shift key that may cause a problem with other aspects of the system)
- Enrollment (training) data entry: collect 5 repetitions of UserID and Password from each of 10 subjects (50 samples total)
and collect 5 repetitions of UserID and Password from 5 subjects entering 2 other peoples information (50 samples total)
- Operational (testing) data entry: collect 5 repetitions of UserID and Password from each of the same 10 subjects
used for training (50 samples total),
and collect 5 repetitions of UserID and Password from 5 subjects entering 2 other peoples information
to simulate unauthorized access (use either different users or different target people than used for training,
50 samples total)
- Feature extraction process: decide what features (measurements) are made on the input data,
for example the feature vector might contain the key press durations and the key transition durations
(for example, 6+5=11 measurements for a 6 character password)
- Training process: average the feature vectors of the 5 training password samples for each of the 10 subjects
to obtain an average feature vector for each subject (10 average vectors total)
- Comparison method: use the Euclidean distance between an input password feature vector and the average feature vector
for that individual (true UserID) and normalize this distance by dividing by the length of the vector
(this is necessary because the passwords can vary in length)
- Decision process determination: determine a threshold for deciding whether to accept or reject the input password,
this threshold should accept most of the training authentic passwords and reject most of the training inauthentic ones
(to find the optimal threshold you might plot the distances, 50 authentic training distances and 50 inauthentic ones)
- Accuracy determination: using the threshold obtained above, count the sample test data (authentic and inauthentic)
that is correctly and incorrectly accepted or rejected to obtain the False Accept Rate (% inauthentic accepted)
and the False Reject Rate (% authentic rejected)
- Alternative decision process determination: if the accuracy measures determined above are poor, you can determine
a decision threshold for each of the 10 users rather than using a single common threshold
A second application is to identify an individual from his/her keystroke pattern on a sample of text input and editing.
Suppose, for example, there has been a problem with the circulation of offensive emails
from easily accessible desktops in a work environment.
The security department wants to reduce this problem by collecting keystroke biometric data
from all employees and developing a keystroke biometric identification system (one-of-n response).
The design and testing steps for this application are as follows:
Sample training and testing texts follow:
- Input: a sample text to be keyed in (and possibly edited) by the subject
with all error correction keystrokes being accepted as part of the data
- Enrollment (training) data entry: each of 10 subjects keys in (and possibly edits) the same sample text
- Operational (testing) data entry: each of 10 subjects keys in (and possibly edits) the training sample text again
and then another similar text
- Feature extraction process: the feature vector created from the input data consist of the following measurements
(they are subject to revision after reviewing samples of the data captured)
- the average and standard deviation key press durations for 9 frequently occuring letters of the alphabet
plus the space character (10+10 measurements).
In particular, we will use
the nine most frequent letters of words in the Concise Oxford Dictionary
(e, a, r, i, o, t, n, s, l) together with the space character.
Consider using the shift key in place of the 9th most frequent letter 'l'.
Note that for large text input we could use the full 26 letters of the alphabet plus the space character.
- the average and standard deviation transition durations between 10 common pairs of letters of the alphabet
In particular, we will use
the ten most frequent digrams from a portion of the Encyclopedia Britannica
(in, th, ti, on, an, he, al, er, to, or).
Consider using space-to-any-letter and any-letter-to-space in place of the 9th and 10th most frequent digrams.
Note that, although we could use all the 27x27 possible transitions, many would not occur or be poorly represented.
- the total number of keypresses for Space, Backspace, Delete, Insert, Home, End, Enter, Ctrl,
and all four arrow keys combined (9 measurements)
- the number of keypresses for Shift, separate counts for left and right keyboard locations (2 measurements)
- the total time to enter the text (1 measurement)
- the number of left mouse clicks (1 measurement)
- the number of right mouse clicks (1 measurement)
- the number of double left mouse clicks (1 measurement)
- this is a total of 55 measurements
- Comparison method: Nearest Neighbor classifier using Euclidean distance
between the feature vector from the training text and the testing text
- Decision process determination: the subject having the smallest distance is identified as the first choice perpetrator
- Accuracy determination: obtain and plot the percent correct
first choice, first and second choice, first through third choice, first through fourth choice, etc.
Editing instructions for these texts can be created
by specifying a reasonable number of replace, insert, and delete operations.
- Text 1: This is an Aesop fable about the bat and the weasels. A bat who fell upon
the ground and was caught by a weasel pleaded to be spared his life. The
weasel refused, saying that he was by nature the enemy of all birds. The bat
assured him that he was not a bird, but a mouse, and thus was set free.
Shortly afterwards the bat again fell to the ground and was caught by
another weasel, whom he likewise entreated not to eat him. The weasel said
that he had a special hostility to mice. The bat assured him that he was not
a mouse, but a bat, and thus a second time escaped. The moral of the story: it is wise to turn
circumstances to good account.
- Text 2: This is an Aesop fable about the wolf and the crane.
A wolf who had a bone stuck in his throat hired a crane, for a large sum,
to put her head into his mouth and draw out the bone.
When the crane had extracted the bone and demanded the promised payment, the wolf,
grinning and grinding his teeth, exclaimed:
"Why, you have surely already had a sufficient recompense,
in having been permitted to draw out your head in safety from the mouth and jaws of a wolf."
The moral of the story: in serving the wicked, expect no reward, and be thankful if you escape injury for your pains.
- Text 3: This is an Aesop fable about the mountain in labor.
A mountain was once greatly agitated. Loud groans and noises were heard,
and crowds of people came from all parts to see what was the matter.
While they were assembled in anxious expectation of some terrible calamity,
out came a Mouse. The moral of the story: don't make much ado about nothing.
Methodology for Developing the Keystroke Biometric System
The system will be modularized based on the key stages of pattern recognition systems,
and we will develop the desired program modules sequentially.
Such modularization in systems development is standard practice that
provides a clear separation of processing functionality
for ease of use, ease of maintainability, and ease of extensibility.
Our keystroke biometric system will contain three modules: data capture, feature extraction, and pattern classification.
The data capture program will first be developed and finalized (frozen).
The output of this program will be a raw data file of the keystroke timing data,
and we must ensure that the system captures accurate timing information.
Once this program is finalized, experimental data can be collected
while the other modules are being developed for particular applications.
The second module of the system will extract appropriate features and output a file
containing, for each record, the Subject ID and the feature vector.
Although a preliminary description of the features measurements for the second application are presented above,
these measurements need to be finalized.
Two preprocessing steps are performed on the features measurements, outlier removal and feature standardization.
Outlier removal consists of removing any measurement
that is more that two standard deviations from the mean, as obtained from the training data.
We standardize our measurements using the ranging method,
where raw measurement x is converted to x’ as follows:
x’ = (x - xmin) / (xmax - xmin)
using the min and max of the measurement over the samples in the training data.
This provides measurement values in the range 0-1 to give each measurement roughly equal weight.
The feature-vector output files will allow us to explore and compare various pattern classifiers on the same feature data.
The third module of the system will perform the pattern classification task.
Initially, we will use the nearest neighbor classifier with the Euclidean distance metric.
Finally, we might decide to create a fourth module to perform a statistical analysis of the results,
and thus separate the analysis of the results from the obtaining of the classification results.